Virtual Analysis Authorizations – Part 2: Solution Details
In SAP NetWeaver BW release 7.3 a new Analysis Authorizations BAdI was introduced: BAdI RSEC_VIRTUAL_AUTH_BADI as part of Enhancement Spot RSEC_VIRTUAL_AUTH. With it, the authorized values or hierarchy nodes can be determined dynamically during query runtime. It does not require any Analysis Authorization objects or PFCG Roles. Virtual Authorizations can be used to enhance any existing “classic” authorization model, i.e. you do not have to make an exclusive choice for one or the other: classic and virtual can be used simultaneously and complement each other.
I would like to share my implementation experience with virtual Profit Center and Cost Center authorizations. For an introduction, please read my blog Virtual Analysis Authorizations – Part 1: Introduction. In this blog we will discuss the use case and chosen approach, the solution overview, the control tables and default hierarchies. You can find all implementation details in my document Implementing Virtual Analysis Authorizations.
As already mentioned in my previous blog, our use case was Profit Center and Cost Center authorizations. We had to deal with hierarchy authorizations as well as value authorizations. There existed multiple hierarchies which had to be authorized on many hierarchy nodes. We urgently needed a more dynamic and flexible approach.
We implemented Virtual Authorizations for Profit Center and Cost Center authorizations next to the classic model for all other Analysis Authorizations. We tried to mitigate the “compliance issue” by introducing a Profit Center Basic and Cost Center Basic authorization object with only : (aggregation) and # (unassigned) authorization. These objects are checked by the BAdI and the Profit Center and Cost Center authorization is only processed if the respective “basic” object is assigned to the user. In our case that was a role-based assignment. This way we enhanced the Virtual Model:
- An additional access key is required to get authorized;
- It will improve the traceability and auditability;
- It will increase the compliance with security standards.
Virtual authorizations can be realized by implementing BAdI RSEC_VIRTUAL_AUTH_BADI as part of Enhancement Spot RSEC_VIRTUAL_AUTH. The Analysis Authorizations are determined dynamically, i.e. during query runtime. Both value and hierarchy authorizations are supported.
Authorizations per user have to be maintained using two central control tables:
- Value authorizations;
- Hierarchy authorizations.
Both control tables can be maintained using their own table maintenance dialog. It is recommended to maintain the control tables in every system separately (i.e. no transports) to remain as flexible as possible. An initial mass upload could be facilitated by LSMW (Legacy System Migration Workbench).
These control tables only have to be maintained once for the respective basis Characteristic, i.e. Profit Center and Cost Center. The authorization for Display Attributes and Navigational Attributes is automatically derived and processed by the BAdI.
The hierarchy authorizations are maintained in control table ZBW_VIRTAUTH_HIE, which looks almost identical to table RSECHIE. Here we can enter a Profit Center or Cost Center hierarchy authorization for a particular user.
Figure 1: Control Table – Hierarchy Authorization
The value authorizations are maintained in control table ZBW_VIRTAUTH_VAL, which looks almost identical to table RSECVAL. Here we can enter a Profit Center or Cost Center value authorization for a particular user.
Figure 2: Control Table – Value Authorization
Another requirement was to be able to generate hierarchy authorizations based on value authorizations. The rationale behind it is that the majority of reports are based on “default hierarchies”. Particular roles, such as Cost Center responsible, did not get any hierarchy authorization and as a consequence were not able to run those reports. At the same time, we wanted to prevent double maintenance.
The solution was to define a third control table for Default Hierarchies: ZBW_VIRTAUTH_DEF. Here you can enter one or more default hierarchies for a Characteristic. The BAdI will then generate the hierarchy authorization for the default hierarchy restricted to the authorized values as leaves in the hierarchy.
Figure 3: Control Table – Default Hierarchy
In the example above we have defined the (standard) hierarchy 1000KP1000 as default hierarchy for Cost Center.
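The resolution logic described above (basic-object gate, the two control tables, and default-hierarchy generation) can be modelled as follows. This is an added example, not the BAdI's ABAP code or anything from the original document: the column layouts, user names, node names and the object names ZCC_BASIC and ZPC_BASIC are assumptions, all rows are constructed, and value authorizations are treated as single values only.

```python
from typing import NamedTuple

# Constructed sample rows. Column layouts and object names are assumptions.
VAL_ROWS = [  # models ZBW_VIRTAUTH_VAL: (user, characteristic, value)
    ("ALICE", "0COSTCENTER", "CC1001"),
    ("ALICE", "0COSTCENTER", "CC1002"),
    ("BOB", "0COSTCENTER", "CC2001"),
]
HIE_ROWS = [  # models ZBW_VIRTAUTH_HIE: (user, characteristic, hierarchy, node)
    ("CAROL", "0COSTCENTER", "1000KP1000", "NODE_EUROPE"),
]
DEF_ROWS = [("0COSTCENTER", "1000KP1000")]  # models ZBW_VIRTAUTH_DEF
BASIC_OBJECT = {"0COSTCENTER": "ZCC_BASIC", "0PROFIT_CTR": "ZPC_BASIC"}  # hypothetical
# Role-based assignment of authorization objects per user (constructed).
USER_OBJECTS = {"ALICE": {"ZCC_BASIC"}, "BOB": set(), "CAROL": {"ZCC_BASIC"}}


class HierAuth(NamedTuple):
    hierarchy: str
    node: str
    is_leaf: bool  # True when generated from a value authorization


def resolve_virtual_auth(user, characteristic):
    """Return (values, hierarchy_auths) granted by the virtual model."""
    basic = BASIC_OBJECT.get(characteristic)
    # Gate: without the "basic" object nothing from the control tables applies.
    if basic is None or basic not in USER_OBJECTS.get(user, set()):
        return set(), set()
    key = (user, characteristic)
    values = {v for u, c, v in VAL_ROWS if (u, c) == key}
    hier = {HierAuth(h, n, False) for u, c, h, n in HIE_ROWS if (u, c) == key}
    # Default hierarchies: one leaf-level authorization per authorized value.
    for c, h in DEF_ROWS:
        if c == characteristic:
            hier |= {HierAuth(h, v, True) for v in values}
    return values, hier


def dormant_rows(characteristic):
    """Users with control-table rows that the gate currently blocks (audit view)."""
    users = {u for u, c, *_ in VAL_ROWS + HIE_ROWS if c == characteristic}
    basic = BASIC_OBJECT.get(characteristic)
    return sorted(u for u in users if basic not in USER_OBJECTS.get(u, set()))
```

Because the control tables are maintained per system rather than transported, a view like `dormant_rows` is useful in access reviews: it lists users whose table entries exist but are not in effect because the role-based key is missing.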
In this blog we discussed the use case and chosen approach, the solution overview, the control tables and default hierarchies. You can find all implementation details in my document Implementing Virtual Analysis Authorizations.